The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.
References
Configurations
Configuration 1 (hide)
|
History
13 Feb 2023, 00:40
Type | Values Removed | Values Added |
---|---|---|
Summary | The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784. | |
References |
|
02 Feb 2023, 20:17
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | It was discovered that Axis incorrectly extracted the host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. |
Information
Published : 2014-08-27 00:55
Updated : 2023-12-10 11:31
NVD link : CVE-2014-3596
Mitre link : CVE-2014-3596
CVE.ORG link : CVE-2014-3596
JSON object : View
Products Affected
apache
- axis
CWE